Managed rules for AWS Config (#690)

Author: zdmytriv

modules/aws-config/README.md

@@ -80,6 +80,14 @@ components:
             parameter_overrides:
           ...
           (etc)
+        managed_rules:
+          access-keys-rotated:
+            identifier: ACCESS_KEYS_ROTATED
+            description: "Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days."
+            input_parameters:
+              maxAccessKeyAge: "30"
+            enabled: true
+            tags: {}
 ```
 
 ## Deployment
@@ -171,6 +179,7 @@ atmos terraform plan aws-config-{each region} --stack {each region}-{each stage}
 | <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
 | <a name="input_label_value_case"></a> [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,<br>set as tag values, and output by this module individually.<br>Does not affect values of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper` and `none` (no transformation).<br>Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.<br>Default value: `lower`. | `string` | `null` | no |
 | <a name="input_labels_as_tags"></a> [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.<br>Default is to include all labels.<br>Tags with empty values will not be included in the `tags` output.<br>Set to `[]` to suppress all generated tags.<br>**Notes:**<br>  The value of the `name` tag, if included, will be the `id`, not the `name`.<br>  Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be<br>  changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | <pre>[<br>  "default"<br>]</pre> | no |
+| <a name="input_managed_rules"></a> [managed\_rules](#input\_managed\_rules) | A list of AWS Managed Rules that should be enabled on the account.<br><br>See the following for a list of possible rules to enable:<br>https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html<br><br>Example:<pre>managed_rules = {<br>  access-keys-rotated = {<br>    identifier  = "ACCESS_KEYS_ROTATED"<br>    description = "Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days."<br>    input_parameters = {<br>      maxAccessKeyAge : "90"<br>    }<br>    enabled = true<br>    tags = {}<br>  }<br>}</pre> | <pre>map(object({<br>    description      = string<br>    identifier       = string<br>    input_parameters = any<br>    tags             = map(string)<br>    enabled          = bool<br>  }))</pre> | `{}` | no |
 | <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
 | <a name="input_privileged"></a> [privileged](#input\_privileged) | True if the default provider already has access to the backend | `bool` | `false` | no |

modules/aws-config/main.tf

@@ -65,6 +65,7 @@ module "aws_config" {
   s3_bucket_arn    = local.s3_bucket.config_bucket_arn
   create_iam_role  = local.create_iam_role
   iam_role_arn     = local.config_iam_role_arn
+  managed_rules    = var.managed_rules
   create_sns_topic = true
 
   global_resource_collector_region   = var.global_resource_collector_region

modules/aws-config/variables.tf

@@ -123,3 +123,35 @@ variable "iam_roles_environment_name" {
   description = "The name of the environment where the IAM roles are provisioned"
   default     = "gbl"
 }
+
+variable "managed_rules" {
+  description = <<-DOC
+    A list of AWS Managed Rules that should be enabled on the account.
+
+    See the following for a list of possible rules to enable:
+    https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
+
+    Example:
+    ```
+    managed_rules = {
+      access-keys-rotated = {
+        identifier  = "ACCESS_KEYS_ROTATED"
+        description = "Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days."
+        input_parameters = {
+          maxAccessKeyAge : "90"
+        }
+        enabled = true
+        tags = {}
+      }
+    }
+    ```
+  DOC
+  type = map(object({
+    description      = string
+    identifier       = string
+    input_parameters = any
+    tags             = map(string)
+    enabled          = bool
+  }))
+  default = {}
+}